- From: Ian Hickson <ian@hixie.ch>
- Date: Sat, 13 Dec 2008 00:09:27 +0000 (UTC)
On Fri, 12 Dec 2008, Martin Atkins wrote:
> Ian Hickson wrote:
> > On Fri, 12 Dec 2008, Bil Corry wrote:
> > >
> > > Or maybe it'd be better if non-persistent cookies are removed once the
> > > user no longer has an open tab to the site, instead of using a
> > > JavaScript-based solution.
> >
> > This could be done now; I recommend bringing this up with browser vendors as
> > a feature request.
>
> I'm not sure this is as easy as it first appears. For example, consider the
> following case:
>
> * I have a single tab on site1 and I have a session cookie with them.
> * I navigate from a page on site1 to site2 and site2 replaces site1 in my
>   single tab.
> * I navigate from site2 back to site1.
>
> Have I now lost my session cookie?
>
> This scenario is particularly important for technologies that use redirects to
> exchange data between domains, such as OpenID.
>
> Many OpenID implementations (for better or worse) use session cookies to
> retain state while they do the OpenID transaction, which involves redirecting
> the user away from your site to a URL on the provider's domain. If implemented
> exactly as stated, the session cookie would presumably be deleted during the
> OpenID transaction and the original site will break.

If this was implemented like sessionStorage is specified, then the session
cookie would only go away once the tab was completely closed, IIRC.

-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.

Received on Friday, 12 December 2008 16:09:27 UTC
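
The two cookie-lifetime rules discussed in this thread, replayed over the site1, site2, site1 round trip as an added example that is not part of the original message. `BrowserModel`, the policy names `site-open` and `tab-lifetime`, and `site1SessionAfter` are hypothetical names for a toy model, not a browser API.

```javascript
// Toy model, constructed for illustration; not a real browser API.
// "site-open": drop a site's session cookie once no open tab shows that site.
// "tab-lifetime": keep it until the tab that set it closes (sessionStorage-like).
class BrowserModel {
  constructor(policy) {
    this.policy = policy;
    this.tabs = new Map();     // tabId -> site currently displayed
    this.cookies = new Map();  // site -> Set of tabIds keeping the cookie alive
  }
  openTab(tabId, site) { this.tabs.set(tabId, site); }
  setSessionCookie(tabId) {
    const site = this.tabs.get(tabId);
    if (!this.cookies.has(site)) this.cookies.set(site, new Set());
    this.cookies.get(site).add(tabId);
  }
  navigate(tabId, site) {
    this.tabs.set(tabId, site);
    if (this.policy === "site-open") this.evictSitesWithoutTabs();
  }
  closeTab(tabId) {
    this.tabs.delete(tabId);
    if (this.policy === "site-open") return this.evictSitesWithoutTabs();
    for (const [site, owners] of this.cookies) {
      owners.delete(tabId);
      if (owners.size === 0) this.cookies.delete(site);
    }
  }
  evictSitesWithoutTabs() {
    const shown = new Set(this.tabs.values());
    for (const site of [...this.cookies.keys()])
      if (!shown.has(site)) this.cookies.delete(site);
  }
  hasSessionCookie(site) { return this.cookies.has(site); }
}

// Replay actions in one tab that starts on site1 with a session cookie set.
// An action is either a site name to navigate to, or "close" to close the tab.
function site1SessionAfter(policy, actions) {
  const b = new BrowserModel(policy);
  b.openTab("t1", "site1");
  b.setSessionCookie("t1");
  for (const a of actions) {
    if (a === "close") b.closeTab("t1"); else b.navigate("t1", a);
  }
  return b.hasSessionCookie("site1");
}
// site1 -> site2 (e.g. an OpenID provider) -> back to site1
const ROUND_TRIP = ["site2", "site1"];
```

Under `site-open` the round trip returns to site1 without its session cookie, while `tab-lifetime` keeps it; both rules drop the cookie once the tab is closed.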